Explore observability through security assessment
Observability is also essential for security monitoring and assessment, facilitating detection of and response to security incidents. Security observability includes monitoring for abnormal patterns indicating potential threats, identifying vulnerabilities in software and the underlying infrastructure, and auditing activities in the monitored environment. The organization in the sample scenario was subject to several security exploits, which could have been prevented or at least mitigated by applying the principles of security observability. In this unit, learn about some of the more common ways of applying these principles.
How do you apply the principles of security observability?
Security techniques that are part of a DevSecOps strategy can be grouped into two main categories, depending on whether they focus on preventing breaches or are part of the assumed-breach approach. The DevOps planning, development, and delivery stages focus primarily on breach prevention, using techniques such as threat modeling, the security development lifecycle, code reviews, static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA). In the operational stage, it's common to combine breach-prevention and assumed-breach techniques, including war game exercises, live site penetration tests, security monitoring, and security assessment.
War game exercises are events where two teams, referred to as red and blue, are tasked with assessing the security of a given environment. The red team takes on the role of an attacker. It attempts to emulate real-world attacks in order to find gaps in security and use them to demonstrate the potential impact of their exploits. The blue team assumes the role of a defender. Its objective is to detect and respond to the red team's attacks.
Live site penetration tests are performed by authorized security professionals who actively attempt to exploit vulnerabilities in the target environment. The objective is to identify, assess, and remediate these vulnerabilities before they're subject to actual exploits.
Security monitoring and security assessment are integral components of DevOps security observability, contributing jointly to the continuous and proactive identification, analysis, and response to security-related events and vulnerabilities. Security monitoring largely follows the same approach as performance monitoring: it collects real-time telemetry, such as metrics, logs, and traces, to track the overall security of your workloads. Security assessment relies on that telemetry to evaluate the security of the organization's information systems, applications, and infrastructure in order to identify vulnerabilities, assess risks, and provide recommendations for their remediation.
For this purpose, it's common to use a dedicated solution that implements Security Information and Event Management (SIEM) functionality, such as the cloud-hosted Microsoft Sentinel. Microsoft Sentinel combines telemetry data from a wide range of sources, automatically correlating it and looking for patterns by using artificial intelligence and machine learning.
You can also take advantage of the functionality built into Microsoft DevOps platforms, such as GitHub or Azure DevOps. In particular, GitHub offers many tools that implement security monitoring and assessment, such as GitHub Advanced Security.
Its Dependabot feature automatically scans repo-hosted software for external dependencies, checking them for known vulnerabilities against the GitHub Advisory Database. When such vulnerabilities are found, Dependabot automatically generates pull requests to upgrade the affected dependencies to nonvulnerable versions.
GitHub Advanced Security combines several security features and capabilities that enhance software delivery workflows, including code scanning, secret scanning, and dependency review. For example, code scanning analyzes repo-hosted source code, detecting security vulnerabilities and programming errors.
It integrates with GitHub Actions, allowing for automated and continuous code analysis as part of CI/CD workflows.
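The two GitHub features described above, Dependabot and code scanning in a GitHub Actions workflow, are configured through files in the repository. The following is an added example, not configuration from the module or from GitHub's documentation; it assumes a Node.js project on the `main` branch, and the two files are shown in one block separated by a YAML document marker.

```yaml
# .github/dependabot.yml (added example, not from the module)
# Dependabot checks the npm manifest weekly against the GitHub Advisory
# Database and opens a pull request for each vulnerable dependency.
version: 2
updates:
  - package-ecosystem: "npm"     # assumed: a Node.js project
    directory: "/"               # where package.json lives
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5  # bound the pull-request noise
---
# .github/workflows/codeql.yml (added example, not from the module)
# CodeQL code scanning on every push and pull request to main, plus a
# weekly run so that newly published queries are applied to unchanged code.
name: "Code scanning"
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 3 * * 1"        # Mondays, 03:00 UTC
permissions:
  contents: read
  security-events: write       # required to upload results to the Security tab
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript          # assumed project language
          queries: security-extended     # broader security query suite
      # No build step: JavaScript is analyzed without compilation.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript"
```

Findings from the workflow appear as code scanning alerts under the repository's Security tab, where pull requests that introduce new alerts can be blocked by a branch protection rule.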